Snare/Tanner: Connection Reset Error When Testing LFI/SQLi #1767
Unanswered
magically-delicious12 asked this question in Q&A
Replies: 0 comments
Hey there! I'm troubleshooting how Snare and Tanner interact within T-Pot and wanted to clarify how events are forwarded.
From my understanding, if no custom configuration is applied, Snare should send all events to the default Tanner instance hosted at https://tanner.mushmush.org/. However, I’m trying to confirm whether Snare in T-Pot is expected to forward events to the local Tanner container inside T-Pot itself or directly to the MushMush-hosted Tanner instance.
To better understand how Tanner/Snare works, I attempted an LFI attack against my T-Pot Snare honeypot using:
http://my-honeypot-ip/?x=/etc/passwd
I found a research paper (https://arxiv.org/pdf/2105.04773, page 5) that suggests this should trigger a response, but instead, Firefox returns: "The connection was reset."
I’ve encountered the same error when testing SQL injection via login fields (e.g., using 'OR 1=1' as a username). Further, neither tanner.err nor snare.err shows any obvious errors after trying these attacks.
Could this be due to Snare being misconfigured on my end and failing to send events to the correct Tanner instance? If so, where should I check/update Snare’s event forwarding settings? Any guidance or clarification would be appreciated. Thanks!